Back to skill
Skillv3.5.7
VirusTotal security
Catchclaw Agentar · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:42 AM
- Hash
- b4cf4d5fb947d916811fdde04a9441d2cc494ae8a680235096dc148b86bf77af
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: catch-claw Version: 3.5.7 The skill provides agent management functionality (search, install, export) but contains obfuscated code in `agentar_cli.mjs` to resolve the `child_process` module (using `builtinModules.find` with character matching), a common technique for evading static analysis. While the script includes security-conscious logic—such as explicitly filtering sensitive files (.env, .key, .credentials) during exports and creating backups before overwriting workspaces—the intentional hiding of process execution capabilities is a significant red flag. The CLI also performs 'metadata enrichment' by programmatically prompting the agent via the `openclaw` binary, which creates a complex self-invocation loop.
- External report
- View on VirusTotal